Thursday, March 12, 2015

I thought this was really funny (FortiGate TAC report: no IPv6 route details)

I was working an issue with IPv6 routing and had to generate a TAC report (CLI command: execute tac report), and the output had no IPv6 route details.

Fortinet typically does well with most features pertaining to IPv6, but they totally struck out on this one.


Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  *  * )=
        o 
       /  \

JunOS 12.3x48 release is out

I'm in the process of downloading and reviewing the release notes for this firmware.

The only new features that seemed of interest to me were VRRPv3 and IPv6 transparent mode. For the latter, it will be quite interesting to see how it works on an SRX mid-range platform.


Monday, March 9, 2015

Playing the IOS "shell" game

Cisco IOS has started to provide limited shell-like functions within the IOS code. This allows you to use simple Unix shell commands such as wc, grep, more, tail, sleep, etc.


Here are a few examples, but first you have to start the shell via the terminal command:

e.g.

terminal shell

How about setting a variable:

A simple word count of our config file:

More examples:

You have a host of options for deploying the IOS shell in your scripts or day-to-day use.
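The post's screenshots of those examples are not reproduced here. As an added example that is not the post's own, the following runs the same wc, grep and tail checks in a POSIX shell (not on IOS) against a constructed IOS config; the hostname, users and addresses are placeholders.

```shell
# Added example (not from the post): the wc/grep/tail checks the post runs
# from the IOS shell, exercised here in a POSIX shell against a constructed
# IOS config so they can be run offline. On a router, after "terminal shell",
# the same pipelines would read from "show running-config | grep ..."
# instead of printf.

# Constructed sample running-config (placeholder values, not a real device).
SAMPLE_CONFIG='hostname lab-rtr
!
service password-encryption
!
username admin privilege 15 secret 5 $1$placeholder
username backup password 0 PlaintextPlaceholder
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group EDGE-IN in
!
ip access-list extended EDGE-IN
 permit udp host 192.0.2.10 host 192.0.2.1 eq 1812
 deny ip any any log
!
line vty 0 4
 transport input ssh
!
end'

# Line count of the config (the post's "word count of our config file").
config_lines() {
    printf '%s\n' "$SAMPLE_CONFIG" | wc -l | tr -d ' '
}

# Number of entries in the extended ACL: ACE lines start with one space
# followed by the permit/deny action.
acl_entries() {
    printf '%s\n' "$SAMPLE_CONFIG" | grep -E -c '^ (permit|deny) '
}

# Audit check: username lines carrying a type-0 (cleartext) password.
weak_password_lines() {
    printf '%s\n' "$SAMPLE_CONFIG" | grep -E '^username .* password 0 '
}

# Last N lines of the config, N defaulting to 3, like the post's tail.
config_tail() {
    printf '%s\n' "$SAMPLE_CONFIG" | tail -n "${1:-3}"
}
```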


HOWTO: set a Cisco ASA firewall policy to an inactive state

When working with policies on the Cisco ASA firewall, you sometimes need to disable a firewall policy. This beats setting up a deny entry or removing the policy.


The easiest way to disable a policy is to change its status to inactive. The policy will still be installed but will not match traffic, neither permitting nor denying it.

e.g.

access-list EXTERNAL-in extended permit udp host 1.1.1.1 object RAD01 eq 1812


and now:

access-list EXTERNAL-in extended permit udp host 1.1.1.1 object RAD01 eq 1812 inactive


This is the easiest method for ensuring the firewall policy is not in effect.


You might want to run packet-tracer to ensure that no other configured firewall ACL is allowing the traffic.


Thursday, March 5, 2015

My card #1 woes: ASA 5585-X

Okay, I found out why my replacement card for slot #1 was not working.

http://socpuppet.blogspot.com.es/2015/02/i-found-out-my-ips-reloading-on-asa.html

Cisco TAC sent me the wrong card, and not once but twice.

It boils down to the RMA creation not reading the card's model correctly:

ASA5585-SSP-IPS20

vs.

ASA-SSP-20-K8=


So now I'm relieved to know what the final issue with the card was. I knew something wasn't quite right when we inspected the cards: the small daughter board that sits on the left side behind the drive bay was missing on both newly sent cards.


Mobile security and discovery: be aware

When you are using an open or any foreign Wi-Fi service, like a cafe hotspot or the hotel network, you could be exposing yourself to Bonjour-type discovery.

Take this list of machines found at a hotel I recently stayed at in Spain:


And here's a listing of devices found via AFP server services:


And even printers are exposed:

One thing you need to consider: most hotspot implementations filter IPv4 unicast-to-unicast traffic via client isolation, but they don't do as great a job with IPv6, nor should they be trusted to filter it. Take the simple trick of an IPv6 multicast ping to the all-hosts address (ff02::1) and look at what I discovered:

Now I have a list of IPv6 hosts that I can probe or attack:


And you can check for open shares with no login by using the link-local address of the target:

e.g.

afp:[fe80::1cbb:deef:837b:3401]

Just a few concerns that you should be aware of when using the local Wi-Fi access at that airport/cafe/hotel/etc.

Now you can do some things to reduce this:


   disable mDNS
   ensure your local firewall is enabled
   disable all services on the Wi-Fi NIC that would expose services
   install a local end-point control application
   ensure passwords for everything (no guest accounts)
   and deploy very strong pass-phrases
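To turn that checklist into something you can verify on your own laptop, here is an added example (not from the post) that parses Linux ss listening-socket output and flags sockets bound to a wildcard or link-local address, which is what a hotspot neighbour would reach; the ss output below is constructed, and the port labels are the services the post is concerned with.

```shell
# Added example (not from the post): self-check for services your own host
# would answer on a hotspot. It parses "ss -ltnu" style output and flags
# sockets bound to a wildcard or link-local address, since those answer on
# every NIC, the Wi-Fi one included. The sample below is constructed; on a
# real Linux host replace it with the output of: ss -H -ltnu

SAMPLE_SS='udp   UNCONN 0      0      0.0.0.0:5353       0.0.0.0:*
udp   UNCONN 0      0         [::]:5353          [::]:*
tcp   LISTEN 0      128       [::]:548           [::]:*
tcp   LISTEN 0      128  127.0.0.1:631        0.0.0.0:*
tcp   LISTEN 0      128      [::1]:631           [::]:*
tcp   LISTEN 0      128       [::]:22            [::]:*'

# Print "proto port" for every socket reachable from the network side;
# loopback-only binds (127.0.0.1, [::1]) are left out.
exposed_ports() {
    printf '%s\n' "$SAMPLE_SS" | awk '
        {
            la = $5                          # e.g. [::]:548 or 0.0.0.0:5353
            port = la; sub(/.*:/, "", port)
            addr = la; sub(/:[0-9]+$/, "", addr)
            # Wildcard IPv4/IPv6 or link-local IPv6 binds are exposed on Wi-Fi.
            if (addr ~ /^(0\.0\.0\.0|\*|\[::\]|\[fe80:)/) print $1, port
        }' | sort -u
}

# Label the ports from the post (mDNS, AFP shares, printers) so the report
# reads as a checklist of what to disable or firewall.
exposed_report() {
    exposed_ports | awk '
        $2 == 5353 { $3 = "mDNS/Bonjour discovery" }
        $2 == 548  { $3 = "AFP file sharing" }
        $2 == 445  { $3 = "SMB file sharing" }
        $2 == 631  { $3 = "IPP printing" }
        $2 == 22   { $3 = "SSH" }
        { print }'
}

# Number of distinct exposed proto/port pairs.
exposed_count() { exposed_ports | wc -l | tr -d ' '; }
```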


Wednesday, March 4, 2015

GSMK CryptoPhone

I was at the MWC forum in Barcelona and ran across the GSMK CryptoPhone 500 (http://www.cryptophone.de/). Outside of thermal imaging for phones, this was the only item that I was actually looking forward to seeing, and it seems very useful.

This is a highly rated crypto phone for secured voice and messaging. The phone supports military-grade encryption using either AES or Twofish. These phones aren't cheap, and can cost way over 2K USD. But you have to pay for "security" and the ability to protect your phone transmissions.

In the single-page brochure that I picked up at the GSMK booth, they stated "the keys used for each call are destroyed upon call termination".

So this tells me the keys are set up per call and are ephemeral.

The local GSMK representative didn't elaborate on what this actually meant, by the way.

Also, they were tight-lipped about any third-party evaluations, which I thought was strange and interesting to say the least. Also keep in mind that you can only establish secured voice paths between two GSMK phones, so if your called party is not on a GSMK phone, they would be out of luck in regards to security.

Stay tuned; my forecast still has me seeing mobile device security products and software becoming the new "it" in our day-to-day lives.


I believe mobile phone encryption is going to be the next "new" thing for the general end-user. This means voice, text messaging and phone security hardening. Google has already started this (the latter) within "Android Lollipop", and Apple is the next phone OS to include this as well.

Instead of this being the "non-normal", it will become the normal, automatic or dynamic in function and operation, no different than putting on your pants or grabbing your car keys. The US government will do all that it can to restrict, control, or vociferate about why they need to be able to spy on you and your communiqués, but the world is going to change, and for the better, and that means better protection for the John Qs of this world.

As more and more users demand this level of security for phone transmissions, the prices for the end devices will drop as supply is built up to support the user requirements. I believe the same methods deployed for securing the web, with some type of public key, would be the ideal method for setting up the end-to-end encrypted channel for voice and text.

"Think of a voice VPN, if you will."


I will leave you with this photo: a lot of Chinese firms were pushing waterproof phones and tablets. I thought this idea was great for the outdoor person, or if you decide to use your phone or tablet in the pool, bathtub, or while boating.

(Yes, that's a phone submerged in water.)


Here's one more security idea; they have a good video on data interception by your own or a foreign government: https://www.seecrypt.com/
